kqlazure-data-explorerkusto-explorer
How to find a common element in two columns with Kusto (KQL)? Objective: find matching IPs to CIDRs
this is the dataset (image below):
Objective:
- find in both the SrcIP_s and DestIP_s columns elements that match a dynamic list of CIDRs (i.e. probably using ipv4_is_in_range())
In my silly attempts I managed two find matching CIDRs in both columns using mv-apply, but the end result only shows results when they match simultaneously both columns, which is not the expected result.
let customer_cidrs = dynamic(['172.16.1.128/27']);
AzureNetworkAnalytics_CL
| mv-apply SrcCIDR = customer_cidrs to typeof(string) on (where ipv4_is_in_range(SrcIP_s, SrcCIDR))
| mv-apply DestCIDR = customer_cidrs to typeof(string) on (where ipv4_is_in_range(DestIP_s, DestCIDR))
| project FlowDirection_s, SrcIP_s, DestIP_s, InMiBytes=round((InboundBytes_d/1048576),2), OutMiBytes=round((OutboundBytes_d/1048576),2)
Restriction:
- the *MiBytes data must be preserved (later I intend to sum it all, thus obtaining a comprehensive figure of how many Bytes each matching CIDR exchanged)
Expected result:
show all lines that match EITHER SrcIP_s or the DestIP_s columns without changing any other column value (i.e. exclude rows that don't match a customer_cidrs element).
Any ideas?
Solution
You may want to see if using the ipv4_lookup is going to work better for you rather than ipv4_is_in_range. It sounds like it could be a good fit for your use case.
let customer_cidrs = datatable (CIDR:string, Customer1:string) [
'172.16.1.128/27', 'Contoso',
'10.10.1.0/24', 'Wingtip',
'192.168.1.0/24', 'Northwind'
];
let AzureNetworkAnalytics_CL_T = datatable (FlowDirection_s:string, SrcIP_s:string, DestIP_s:string, InMiBytes:real, OutMiBytes:real)[
'I', '172.16.1.69', '172.16.1.132', 0.06, 0.04,
'I', '172.16.1.101', '172.16.1.132', 0.0, 0.0,
'I', '192.168.0.10', '192.168.1.50', 10.2, 15.7,
'O', '172.16.1.132', '1.1.1.1', 0.04, 0.0,
'O', '192.168.1.100', '10.10.1.14', 0.1, 1.6
];
AzureNetworkAnalytics_CL_T
| evaluate ipv4_lookup(customer_cidrs, SrcIP_s, CIDR, return_unmatched=true)
| evaluate ipv4_lookup(customer_cidrs, DestIP_s, CIDR, return_unmatched=true)
| where isnotempty(coalesce(Customer1, Customer11))
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Compare multiple column value and return column name with max value
- trying to find out week of year in kql
- Azure Data Explorer - plot graph per user over time
- Parse array & json to right numbers of column
- Turning off Kusto database cache policy not reflecting in reduced cache as shown by .show cache command
- Kusto command for generating create table & function script
- Get percent value from total sum row in pivot mode
- How to ingest inline into Azure Data Explorer Table from PowerShell?
- Using KQL and externaldata() operator to pull infromation from json file
- ADF Copy activity is making double column in adx as "infinity" for 1.7976931348623157E308 value
- Can I send data from Azure monitor / fabric to metabase
- KQL: how to exclude first and last incomplete bin?
- KQL query to extend new column with other row values
- How to create an empty bag in KQL?
- Column contains text contains other column
- Kql function to append columns
- Applying a KQL query to the transform_kql parameter through terraform
- KQL query to list the secrets and keys in keyvault that are expired or going to expire in 7 days
- Monitor HTTP traffic for Azure Web App using Log analytics and KQL query
- How to hide or change legend in "Run query and visualize results" logic app function?
- How to calculate time difference between the latest entries of two indirectly tables in Kusto (KQL)?
- Calculate the number of overlapping days for each device using KQL
- How good is performance of "has" operator in Kusto when RHS is not exactly one term?
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- Count how many elements are in an array created by make_set in kusto language
- Inserting data in KQL
- Stuck at PIM Diagnostics via KQL
- union with all fields
- How to create an Alert for Data Collection Rule deletion across all VMs in a subscription?